commit: 378cc415b5f2c883b17f5cc2b08d49ce21b8557c Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sun Feb 15 15:22:23 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sun Feb 15 16:56:50 2026 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=378cc415
bintree: run trust helper when any binrepos.conf has verify-signature enabled too If any binary hosts in binrepos.conf have `verify-signature` enabled, we need to run the trust helper. Also, drop the comment because this isn't a problem now with the simplified logic of binrepos.conf handling for this (see c3fa8f90327227df7b1fd098cf1a977ccacf3c42). Bug: https://bugs.gentoo.org/969187 Signed-off-by: Sam James <sam <AT> gentoo.org> lib/portage/dbapi/bintree.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/portage/dbapi/bintree.py b/lib/portage/dbapi/bintree.py index 73962d4498..60a7306697 100644 --- a/lib/portage/dbapi/bintree.py +++ b/lib/portage/dbapi/bintree.py @@ -1387,11 +1387,10 @@ class binarytree: self._remote_has_index = False self._remotepkgs = {} - if "binpkg-request-signature" in self.settings.features: - # This is somewhat broken, we *should* run the trust helper always - # when binpackages are involved, not only when we refuse unsigned - # ones. (If the keys have expired we end up refusing signed but - # technically invalid packages...) + need_trust_helper = "binpkg-request-signature" in self.settings.features or any( + repo.verify_signature for repo in self._binrepos_conf.values() + ) + if need_trust_helper: if not pretend and self.dbapi.writable and portage.data.secpass >= 2: self._run_trust_helper() gpkg_only = True
